Basgen, Brian wrote:
> Is anyone aware of research that has been done to qualify/quantify the
> false negatives that commercial IPSs will pass when running on a
> default configuration?

From a security officer's POV, I limit the scope of false negatives to
behavioral-based signatures that are designed to detect the types of
abnormal behavior that a large corporate entity would be concerned
with. Such behavior includes various well-known malware propagation
means (i.e. network spreading, file share, spim, spam), phone home
traffic and DoS attacks, to name a few. IMO, the detection of these
types of activities should be the minimal requirements of any corporate IDS
strategy. For what good is an IDS with hundreds/thousands of
signatures, if it can't even detect obvious generic attack patterns
going on in your network, where such attacks are known to be very costly
to corporate entities?
As part of my graduate studies research, I've developed a series of
tests that one can safely run in their production environment to mimic a
wide range of known malicious behaviour (such as the ones described
above) for testing any given IDS. I've applied my evaluation toolkit
against a number of commercial IDSs and have found this evaluation
approach to be extremely simple, efficient and effective.